From b9bb2d698cb538c75a634738948f4dca657d7544 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 8 Mar 2026 23:50:42 -0700
Subject: [PATCH] fix: don't seed mergedGroups from existing iam.groups in merge

Groups are always dynamic (from filer), never static (from s3.config). Seeding from iam.groups caused stale deleted groups to persist. Now only uses config.Groups from the dynamic filer config.
---
 weed/s3api/auth_credentials.go | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index bae09c012..5d2a2da22 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -761,10 +761,6 @@ func (iam *IdentityAccessManagement) MergeS3ApiConfiguration(config *iam_pb.S3Ap
 for k, v := range iam.staticIdentityNames {
 staticNames[k] = v
 }
- existingGroups := make(map[string]*iam_pb.Group)
- for k, v := range iam.groups {
- existingGroups[k] = v
- }
 iam.m.RUnlock()

 // Process accounts from dynamic config (can add new accounts)
@@ -929,17 +925,11 @@ func (iam *IdentityAccessManagement) MergeS3ApiConfiguration(config *iam_pb.S3Ap
 policies[policy.Name] = policy
 }

- // Process groups: seed from existing (static) groups, then overlay dynamic config
+ // Process groups from dynamic config (groups are always dynamic, never in static s3.config)
 mergedGroups := make(map[string]*iam_pb.Group)
- for k, v := range existingGroups {
- mergedGroups[k] = v
- }
+ mergedUserGroups := make(map[string][]string)
 for _, g := range config.Groups {
 mergedGroups[g.Name] = g
- }
- // Build reverse index from final merged groups
- mergedUserGroups := make(map[string][]string)
- for _, g := range mergedGroups {
 if !g.Disabled {
 for _, member := range g.Members {
 mergedUserGroups[member] = append(mergedUserGroups[member], g.Name)
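Review bot: Building `mergedUserGroups` inside the `for _, g := range config.Groups` loop in the second hunk means the reverse index is no longer derived from the de-duplicated `mergedGroups` map: if `config.Groups` ever holds two entries with the same `Name`, the map keeps only the last one while the index still lists members of the earlier entry, even when the later entry drops them or is `Disabled`. Whether duplicates can reach this function is not visible here, but since this index presumably feeds group-based authorization, it is safer to keep the two passes (close the first loop after `mergedGroups[g.Name] = g` and build the index with `for _, g := range mergedGroups {`) or to reject duplicate names explicitly. The new comment could also state that a dynamic config with no groups now clears every group on merge, so callers must not pass a partially loaded config. The loop body and the rest of MergeS3ApiConfiguration continue outside the hunk.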